April 2012

April 29, 2012

Stumbled across an interesting video we did last year with HP for their Coffee Coaching series. If you are interested in understanding how to leverage HP's server line along with Microsoft's Small Business Server and Scorpion Software's RWWGuard, this episode is for you.

The combination is a better together solution that just works. With the rich remote access experience of RWA secured with our AuthAnvil solution stack, you can have anywhere, anytime access on almost any device... while still being confident in knowing who is accessing such resources.

April 26, 2012

In this episode of Crack the Cred, Dana shows us how to seize a domain controller by using a Windows Server loophole that allows you to change the admin password.

If you cannot see the embedded video above, please visit www.crackthecred.tv to watch this, and all other episodes. You can also follow the conversation there via Facebook and Twitter and leave your own thoughts and comments.

April 25, 2012

Learn how AuthAnvil can strengthen your IT security with Enterprise Class Two Factor Authentication, Password Management and Single Sign On, all seamlessly integrated within the Kaseya Management Console.

Stop by our booth in the Partner Pavilion at the Kaseya Connect User Conference and receive a free AuthAnvil SoftToken ($50 value).

April 13, 2012

Today, we’re going to take a look at the proper management of AuthAnvil Password Vault Backup files (.pvb files). Once your server is properly configured, hardened, and authenticating users, the most important part of AuthAnvil Password Vault server maintenance is making sure that you take regular backups of the AuthAnvil Password Vault Database. The AuthAnvil Password Vault includes a utility for managing backups, AAPVBackup.exe. It is a command line tool, making it easy to script or schedule using an automated task. You can find instructions on how to do so in the AuthAnvil Password Vault Install Guide.

Today’s best practice, however, is not about making backups, it’s about what you do with your backups afterwards. An AuthAnvil Password Vault pvb file stores all of your user, password, and logging information in a format that can be easily imported back into the database. Take note that pvbs also include all of your certificates and encryption keys, and the file itself is not protected in any way, so it can easily be accessed and modified.

To make sure that your backups stay uncompromised, encrypt or otherwise protect them and keep them in a safe place; somewhere that you can audit access to. Don’t forget, one backup copy is never enough, and test your restores from time to time. It’s easy to import pvbs to a test server using the AuthAnvil Password Vault installer or AAPVBackup.exe.
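The post names three controls for backups: encrypt them, keep them somewhere you can audit access to, and test restores. The following PowerShell is an added example (not the original post's or Scorpion Software's code) that applies all three to a .pvb file after AAPVBackup.exe has written it: the file is wrapped in an AES-256-CBC container whose key is derived from a passphrase with PBKDF2, a SHA-256 of the plaintext is kept beside the container so a restore test can prove the copy is intact, and the offsite folder gets an Administrators/SYSTEM-only ACL with an audit rule. The paths, the passphrase prompt and the folder names are assumptions.

```powershell
# Added example, not part of the original post or of the AuthAnvil product.
# Requires .NET 3.5 or later (System.Core provides the Aes base class).
Add-Type -AssemblyName System.Core

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-AesFromPassphrase {
    param([string]$Passphrase, [byte[]]$Salt, [byte[]]$IV)
    # PBKDF2 (RFC 2898), 100,000 iterations: passphrase + salt -> 256-bit key
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passphrase, $Salt, 100000)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $kdf.GetBytes(32); $aes.IV = $IV
    $aes
}

function Protect-PvbBackup {
    param([string]$PvbPath, [string]$OutPath, [string]$Passphrase)
    $plain = [System.IO.File]::ReadAllBytes($PvbPath)
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $salt = New-Object byte[] 16; $iv = New-Object byte[] 16
    $rng.GetBytes($salt); $rng.GetBytes($iv)
    $aes    = Get-AesFromPassphrase $Passphrase $salt $iv
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $aes.Clear()
    # Container layout: 16-byte salt | 16-byte IV | ciphertext
    [System.IO.File]::WriteAllBytes($OutPath, [byte[]]($salt + $iv + $cipher))
    # Hash of the plaintext, stored beside the container for the restore test
    $hash = Get-Sha256Hex $plain
    Set-Content -Path "$OutPath.sha256" -Value $hash
    $hash
}

function Test-PvbRestore {
    param([string]$EncPath, [string]$Passphrase, [string]$RestoreTo)
    # Decrypt into a staging folder on the test server and verify the hash
    $blob   = [System.IO.File]::ReadAllBytes($EncPath)
    $salt   = New-Object byte[] 16; [Array]::Copy($blob, 0, $salt, 0, 16)
    $iv     = New-Object byte[] 16; [Array]::Copy($blob, 16, $iv, 0, 16)
    $cipher = New-Object byte[] ($blob.Length - 32)
    [Array]::Copy($blob, 32, $cipher, 0, $cipher.Length)
    $aes = Get-AesFromPassphrase $Passphrase $salt $iv
    try   { $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length) }
    catch { throw "Cannot decrypt $EncPath (wrong passphrase or damaged container)" }
    finally { $aes.Clear() }
    $expected = (Get-Content "$EncPath.sha256").Trim()
    if ((Get-Sha256Hex $plain) -ne $expected) { throw "Backup $EncPath failed its integrity check" }
    [System.IO.File]::WriteAllBytes($RestoreTo, $plain)   # now import it with AAPVBackup.exe
    $true
}

function Set-BackupFolderProtection {
    param([string]$Folder)
    # Only Administrators and SYSTEM may touch the folder; inherited ACEs are dropped
    $acl = Get-Acl -Path $Folder -Audit
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    # Audit every access; events appear once the "Audit object access" policy is enabled
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')))
    Set-Acl -Path $Folder -AclObject $acl
}

# Usage (all paths are assumptions for this example):
# $pass = Read-Host 'Backup passphrase'
# Protect-PvbBackup 'D:\AAPV\backups\vault-2012-04-13.pvb' 'E:\offsite\vault-2012-04-13.pvb.enc' $pass
# Remove-Item 'D:\AAPV\backups\vault-2012-04-13.pvb'          # plaintext copy is no longer needed
# Set-BackupFolderProtection 'E:\offsite'
# Test-PvbRestore 'E:\offsite\vault-2012-04-13.pvb.enc' $pass 'C:\restore-test\vault.pvb'
```

Keep the passphrase out of the scheduled task that runs AAPVBackup.exe itself; a restore test that fails the hash check or the decryption step is exactly the signal the post says you want to see before you actually need the backup.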

As always, if you have any best practices questions that you’d like to see addressed, please send them to support@scorpionsoft.com, and we’ll post the answers here.

April 12, 2012

For the next part of the AuthAnvil Password Vault best practices series, we’re going to look at the AuthAnvil Password Vault web services. When you install the AuthAnvil Password Vault, it adds a single virtual directory to your IIS website of choice: AAPV. This directory contains the AuthAnvil Password Vault front-end web application and the AuthAnvil Password Vault back-end web service. The web application is what users interact with on a daily basis. The web service is what does all of the heavy lifting. It handles requests from the web application and any sync agents and communicates with the database.

Part of the magic of the web service is that it uses message-level encryption to allow it to securely communicate over an http connection, and, in fact, requires an http connection to function. The connection-level encryption of SSL conflicts with this, causing any communication attempts to fail. This means that the AuthAnvil Password Vault cannot successfully be installed on any IIS website that does not have an http binding, or that requires SSL for all communications. However, having an SSL binding with a trusted 3rd party certificate configured on the website is still strongly recommended, because, while the communication between the web application and the web service uses message-level encryption, the communication between the web application and the client does not, so it should be protected by SSL.

If you want to limit http access to the AuthAnvil Password Vault, the best way to do so is by applying an appropriate rule on your firewall. If you do not plan to use sync agents, then you can limit communications over http to localhost only, and use the instructions in Appendix B of the AuthAnvil Password Vault Installation Guide to change the web service URL so that the web application can continue to communicate with it. If you do plan to use sync agents, simply add exceptions for their IP addresses in the firewall as well. Everybody else will be forced to communicate over SSL, ensuring secure communications with the AuthAnvil Password Vault web application.
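As an added example (not from the original post and not Scorpion Software's code), this PowerShell applies the rule the post describes on the Windows Firewall of the vault server itself: inbound HTTP is allowed only from the sync agent addresses and the local machine, every other enabled inbound allow rule for TCP 80 (such as the one the IIS role installs) is disabled, and HTTPS stays open to all clients. It uses the HNetCfg.FwPolicy2 COM interface that ships with Windows Server 2008 and later and assumes the firewall's default inbound action is Block (the Windows default); the agent addresses are constructed sample values.

```powershell
# Added example, not part of the original post or of the AuthAnvil product.
$SyncAgentIps = @('192.0.2.10', '192.0.2.11')   # constructed sample addresses

$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_ACTION_ALLOW    = 1
$NET_FW_PROFILE2_ALL    = 0x7FFFFFFF

function Get-InboundAllowRulesForPort {
    param([object]$Policy, [string]$Port)
    # Every enabled inbound Allow rule that opens the TCP port, whatever its name
    @($Policy.Rules) | Where-Object {
        $_.Enabled -and $_.Direction -eq $NET_FW_RULE_DIR_IN -and
        $_.Action -eq $NET_FW_ACTION_ALLOW -and
        $_.Protocol -eq $NET_FW_IP_PROTOCOL_TCP -and
        (($_.LocalPorts -split ',') -contains $Port)
    }
}

function Add-ScopedAllowRule {
    param([object]$Policy, [string]$Name, [string]$Port, [string]$RemoteAddresses)
    # Drop an earlier copy of our rule so the script can be re-run safely
    if (@($Policy.Rules | Where-Object { $_.Name -eq $Name }).Count -gt 0) { $Policy.Rules.Remove($Name) }
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $Name
    $rule.Description     = 'Added by the AAPV firewall scoping script'
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP
    $rule.LocalPorts      = $Port
    $rule.RemoteAddresses = $RemoteAddresses   # '*' means any address
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $NET_FW_PROFILE2_ALL
    $rule.Enabled         = $true
    $Policy.Rules.Add($rule)
}

function Set-VaultHttpScope {
    param([string[]]$AgentIps)
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # 1. Disable every existing rule that opens port 80; otherwise a broad rule
    #    (for example the IIS role's HTTP rule) would still admit everyone.
    foreach ($r in Get-InboundAllowRulesForPort -Policy $policy -Port '80') { $r.Enabled = $false }
    # 2. Allow HTTP only from the sync agents plus the local web application.
    $scope = (@('127.0.0.1') + $AgentIps | ForEach-Object { "$_/255.255.255.255" }) -join ','
    Add-ScopedAllowRule -Policy $policy -Name 'AAPV HTTP (sync agents only)' -Port '80' -RemoteAddresses $scope
    # 3. HTTPS remains reachable from every client.
    Add-ScopedAllowRule -Policy $policy -Name 'AAPV HTTPS (all clients)' -Port '443' -RemoteAddresses '*'
    # Return what is now open on port 80 for review
    Get-InboundAllowRulesForPort -Policy $policy -Port '80' | Select-Object Name, RemoteAddresses
}

Set-VaultHttpScope -AgentIps $SyncAgentIps
```

Run it from an elevated session on the vault server; a perimeter firewall in front of the server should carry the same scoping, since the post's point is that only the sync agents and the local web application ever need plain http.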

As always, if you have any best practices questions that you’d like to see addressed, please send them to support@scorpionsoft.com, and we’ll post the answers here.

April 11, 2012

In this episode of Crack the Cred, Dana shows Microsoft's officially supported way to get into a local Windows account when you don't have the password using DaRT.

If you cannot see the embedded video above, please visit www.crackthecred.tv to watch this, and all other episodes. You can also follow the conversation there via Facebook and Twitter and leave your own thoughts and comments.

April 10, 2012

What if I told you that you never had to manually update a Windows password as part of your regular workflow again? That would be pretty nice, wouldn’t it? No more coming up with new passwords, manually changing them and then recording and distributing them. That’s where AuthAnvil Password Vault Sync Agents come in. If you have Sync Agents deployed to the networks that you manage, and create a Windows password in the AuthAnvil Password Vault, you have the option to synchronize that password against the machine the sync agent is installed on, another machine on the same network, or the local Active Directory domain. This means that every time you update the password in the AuthAnvil Password Vault, it is automatically changed on the target machines, and can even be changed for Scheduled Tasks and Windows Services as well.

This workflow, however, still means that you need to manually update the password. The AuthAnvil Password Vault can do you one better. Whenever you create or modify a password, you can set the number of days before it expires. You can set it to zero if you never want it to expire, with the default value being 42 days. If it is set to a value greater than zero, however, you can check the “Enable automatic password regeneration when this password expires” checkbox under the Synchronization panel. With this checked, the AuthAnvil Password Vault will automatically generate a new password based on the vault’s settings and synchronize it to the target machine with no user interaction required.

This lets the vault take care of the entire process of generating, updating, recording, and distributing passwords without you having to lift a finger. Pretty cool, eh?

April 05, 2012

What happens when a password in the AuthAnvil Password Vault gets out of sync? A vault owner can initiate an administrative override. When a sync error occurs, the vault owner(s) will get an email letting them know that the synchronization failed and giving them the reason why. The password in our example was changed on the machine rather than in the AuthAnvil Password Vault. So, when the AuthAnvil Password Vault did its daily sync test, I got the email below, letting me know that the sync test had failed. It also let me know that I would need to do an administrative override, which allows me to set a new password in the AuthAnvil Password Vault and forcibly re-sync it to the machine, overwriting the existing password, using administrative credentials from that system.

Once logged into the AuthAnvil Password Vault, clicking the link takes us to the Administrative override page, where we provide administrative credentials for the system, along with the new password that we would like to use, then hit “Approve”. The password is updated in the AuthAnvil Password Vault and will be synchronized the next time the sync agent checks in.

Mistakes happen, and passwords will get out of sync, but the AuthAnvil Password Vault proactively makes sure that the right people know that there is a problem and makes it easy for them to fix it.

April 04, 2012

Continuing with AuthAnvil Password Vault Best Practices, another common question is: which server inside the office should the AuthAnvil Password Vault be installed on? If you ensure it meets the base requirements, it can go pretty much anywhere. However, some thought should go into how you use the AuthAnvil Password Vault to help make that decision clearer.

First, are you going to have users that will access the AuthAnvil Password Vault from external locations? If so, then you will want to make sure the server can be accessed from the Internet. It will also require a valid SSL certificate from a trusted CA. Even something as simple as a GoDaddy certificate on a typical IIS web server will do. Just make sure that it can be reached.

Now, if you want to put it on a different server than the one you may already be directing SSL traffic to, that is OK. If you are using a NAT device, simply do port redirection. This might mean you map port 4443 to 443 on the second server. Or you can configure IIS on the second server to bind SSL to 4443 to begin with. You will need that second approach if you are using those inexpensive Linksys or DLink devices.
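The second approach above, binding SSL to 4443 directly on the second server, as an added example (not the post's own instructions): this PowerShell adds an HTTPS binding on 4443 to the IIS site, attaches an existing certificate to that port in HTTP.sys, and opens the port on the local firewall. It assumes IIS 7.x with the WebAdministration module (Windows Server 2008 R2) and a certificate already present in the machine store; the site name and the certificate thumbprint are placeholders.

```powershell
# Added example, not part of the original post or of the AuthAnvil product.
Import-Module WebAdministration

function Add-VaultHttpsBinding {
    param(
        [string]$SiteName   = 'Default Web Site',                # assumed site name
        [int]$Port          = 4443,
        [string]$Thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT'    # placeholder
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # Site binding on all addresses; the public name comes from the certificate
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }

    # Attach the certificate to 0.0.0.0:4443 in HTTP.sys via the IIS:\SslBindings drive
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (-not (Test-Path $sslPath)) { $cert | New-Item $sslPath | Out-Null }

    # Windows Firewall does not open 4443 by itself
    netsh advfirewall firewall add rule name=AAPV-HTTPS-$Port dir=in action=allow protocol=TCP localport=$Port | Out-Null

    Get-WebBinding -Name $SiteName -Protocol https
}

# Add-VaultHttpsBinding -SiteName 'Default Web Site' -Port 4443 -Thumbprint '<thumbprint>'
```

The NAT device then forwards 4443 to 4443 unchanged, which is all the simpler consumer routers can do; the http binding the web service needs is untouched by this change.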

After you have thought about Internet connectivity issues and SSL, you should consider workloads. The AuthAnvil Password Vault itself uses very few resources. It was designed to work in resource-starved environments like Small Business Server. However, the SQL database always represents a certain amount of overhead. You may decide to install the AuthAnvil Password Vault itself on an edge device, but have the database hosted on the company SQL server elsewhere. That is an acceptable scenario which is available in the installer. If you have a SQL server anywhere in your network, we can use it. Splitting it like this helps to offload resources, while leveraging your existing investment in IT like SQL.

After considering your workloads with SQL, think about the fact that the AuthAnvil Password Vault can run on a domain-joined server or on a standalone system, meaning that you can install it anywhere on your network. It is really up to you. There is even nothing wrong with installing the AuthAnvil Password Vault on the domain controller itself. I know that may surprise many of you, but the AuthAnvil Password Vault was designed to work on a DC, if required. Mostly because our history starts with building AuthAnvil Two Factor Auth to run on Small Business Server, where that is the case already. It has been extended as we moved beyond that platform because we have found so many competitors CAN'T run on a domain controller, and want a dedicated server anyway. Not so with the AuthAnvil Password Solutions stack.

Ultimately, you can install the AuthAnvil Password Vault on ANY server in your organization, as long as it is running Windows Server 2003 or newer, on either 32-bit or 64-bit environments (except SBS 2003). It needs to have IIS installed with ASP.NET 4.0, with access to SQL somewhere on the network. If you don't have SQL, then the installer will have SQL Express installed and secured for you... to make it all neat and tidy.

Just remember that if you want to access the AuthAnvil Password Vault from your notebooks while in the field, or from client networks outside the office, it needs to be exposed to the Internet.

As always, if you have any best practices questions that you’d like to see addressed, please send them to support@scorpionsoft.com, and we’ll post the answers here.

April 03, 2012

One of the things that we have been focusing on in this blog is best practices surrounding AuthAnvil Two Factor Auth. With the release of the AuthAnvil Password Vault and AuthAnvil Single Sign On, we’re expanding the series to cover the new products as well. To begin, let’s take a look at the first question that people ask about the AuthAnvil Password Vault: “What platform should I run my AuthAnvil Password Vault server on?”

The answer: Our recommendation is Windows Server 2008 or Server 2008 R2. The AuthAnvil Password Vault fully supports Microsoft server platforms based on Windows Server 2003, 2008 and 2008 R2 (except SBS 2003, which does not support the Microsoft .NET Framework 4.0). However, Server 2008 and Server 2008 R2 and their variants, such as SBS 2008 and SBS 2011, win hands down. Not only are they much more modern operating systems, but they are far more secure and robust. They also include IIS 7, which is a stable web platform that is far more flexible and extensible than its predecessor. Most importantly, they include a couple of cool new features, such as the ability to trigger actions based on event log entries, which can be very helpful when monitoring an AuthAnvil Password Vault server.
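The event-triggered actions mentioned above, shown as an added example that is not from the original post: on Windows Server 2008/2008 R2, schtasks.exe can register a task with /SC ONEVENT that fires on an XPath match against an event channel. The script below writes a small notification script and registers a task that runs it, as SYSTEM, whenever a failed logon (Security event 4625) is logged on the vault server. Watching 4625 is this example's choice, not a setting the post specifies; the script path, mail server and addresses are placeholders.

```powershell
# Added example, not part of the original post or of the AuthAnvil product.
# Requires Windows Server 2008 or later and PowerShell 2.0 for the notify script.

function Write-VaultNotifyScript {
    param([string]$Path = 'C:\Scripts\Notify-VaultEvent.ps1')   # placeholder path
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # Runs when the task fires: mail the most recent matching event to the admins
    $notify = @'
$ev = Get-WinEvent -LogName Security -MaxEvents 1 -FilterXPath '*[System[(EventID=4625)]]'
Send-MailMessage -SmtpServer 'smtp.example.com' -From 'vault@example.com' -To 'admins@example.com' `
    -Subject "AAPV server $env:COMPUTERNAME: event $($ev.Id) at $($ev.TimeCreated)" -Body $ev.Message
'@
    Set-Content -Path $Path -Value $notify
    $Path
}

function Register-VaultEventAlert {
    param(
        [string]$TaskName   = 'AAPV-FailedLogonAlert',
        [string]$Channel    = 'Security',
        [int]$EventId       = 4625,
        [string]$ActionPath = 'C:\Scripts\Notify-VaultEvent.ps1'   # placeholder, no spaces
    )
    # XPath the task subscribes to; no spaces, so it passes to schtasks unchanged
    $query  = "*[System[(EventID=$EventId)]]"
    $action = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $ActionPath"
    schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC $Channel /MO $query /TR $action /RU SYSTEM
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
    $TaskName
}

# $script = Write-VaultNotifyScript
# Register-VaultEventAlert -ActionPath $script
```

The same pattern covers any channel and event ID: swap the channel and XPath to watch the Application log for the vault's own entries once you know which events matter to you, and keep the action script's permissions as tight as the task runs as SYSTEM.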

The other part to this question is whether to run the AuthAnvil Password Vault on physical hardware or virtualized. It will run equally well on either, and has been extensively tested against virtual machines, with many customers running virtual AuthAnvil Password Vault servers in the field. Which platform you choose depends entirely on whether or not your infrastructure is currently designed for virtualization.

The AuthAnvil Password Vault is designed to be as flexible as possible, even being able to run on a domain controller, or in other single server environments, such as an SBS network. To get the best bang for your buck though, the more modern the operating system, the better.

As always, if you have any best practices questions that you’d like to see addressed, please send them to support@scorpionsoft.com, and we’ll post the answers here.